asyncrat | 32518775226efb9813e62e4fe5d66050bc7118ac804c8d08aeace793bd9ef635

General

Target

530d1ec61a39f8b6112030f84d2e385c.exe
Size

598KB
MD5

530d1ec61a39f8b6112030f84d2e385c
SHA1

b3fb31734bc0589f5667bf4b427588f005276879
SHA256

32518775226efb9813e62e4fe5d66050bc7118ac804c8d08aeace793bd9ef635
SHA512

0534fa386dbfba9386ddd522a2eb7e2a42d3f186c69cbbfa7fc6b1293e8435569a48cb90ad1c4aa2daadfc192ddd73aa5c50cec1795808c017a810f09b858c87

Score

10^/10

asyncrat rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

C2

agentttt.ac.ug:6970

agentpurple.ac.ug:6970

Mutex

AsyncMutex_6SI8OkPnk

Attributes

aes_key
16dw6EDbQkYZp5BTs7cmLUicVtOA4UQr
anti_detection
false
autorun
false
bdos
false
delay
Default
host
agentttt.ac.ug,agentpurple.ac.ug
hwid
3
install_file
install_folder
%AppData%
mutex
AsyncMutex_6SI8OkPnk
pastebin_config
null
port
6970
version
0.5.7B

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/584-13-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat
behavioral2/memory/584-14-0x000000000040C76E-mapping.dmp	asyncrat

Suspicious use of SetThreadContext 1 IoCs

Processes:

530d1ec61a39f8b6112030f84d2e385c.exe

description pid process target process

PID 1404 set thread context of 584 1404 530d1ec61a39f8b6112030f84d2e385c.exe 530d1ec61a39f8b6112030f84d2e385c.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2232 schtasks.exe

description	pid	process	target process
PID 1404 set thread context of 584	1404	530d1ec61a39f8b6112030f84d2e385c.exe	530d1ec61a39f8b6112030f84d2e385c.exe

pid	process
2232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

530d1ec61a39f8b6112030f84d2e385c.exe

pid	process
1404	530d1ec61a39f8b6112030f84d2e385c.exe
1404	530d1ec61a39f8b6112030f84d2e385c.exe
1404	530d1ec61a39f8b6112030f84d2e385c.exe
1404	530d1ec61a39f8b6112030f84d2e385c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

530d1ec61a39f8b6112030f84d2e385c.exe

description pid process

Token: SeDebugPrivilege 1404 530d1ec61a39f8b6112030f84d2e385c.exe

description	pid	process
Token: SeDebugPrivilege	1404	530d1ec61a39f8b6112030f84d2e385c.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

530d1ec61a39f8b6112030f84d2e385c.exe

C:\Users\Admin\AppData\Local\Temp\530d1ec61a39f8b6112030f84d2e385c.exe
"C:\Users\Admin\AppData\Local\Temp\530d1ec61a39f8b6112030f84d2e385c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1404

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yZAWqQvETlvf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1907.tmp"
2⤵
- Creates scheduled task(s)
PID:2232

C:\Users\Admin\AppData\Local\Temp\530d1ec61a39f8b6112030f84d2e385c.exe
"{path}"
2⤵
PID:2756

C:\Users\Admin\AppData\Local\Temp\530d1ec61a39f8b6112030f84d2e385c.exe
"{path}"
2⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\530d1ec61a39f8b6112030f84d2e385c.exe
"{path}"
2⤵
PID:584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\530d1ec61a39f8b6112030f84d2e385c.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1907.tmp
MD5
cef14363607a90270c88b4c2d003141c

SHA1
72a1d4a59351f64f8d1fd637f002cd6462087a0d

SHA256
7d89ea4552adde9615a8cf89d83aaba656c8d8a0dd7710a0c281a5128c43c46e

SHA512
b0b7facb2dd713eb248e32fc593262200fb05941647a93146771b5e48cd0a7d01e81a8d38106656ff152e4d3c81a4c265c9f3a9e3b31c078e852cb4c5c1f4d18

Download Submit
memory/584-16-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/584-14-0x000000000040C76E-mapping.dmp

Download
memory/584-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1404-6-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/1404-9-0x00000000059C0000-0x0000000005A31000-memory.dmp

Filesize
452KB

Download
memory/1404-10-0x0000000006280000-0x0000000006281000-memory.dmp

Filesize
4KB

Download
memory/1404-8-0x0000000005410000-0x000000000541E000-memory.dmp

Filesize
56KB

Download
memory/1404-7-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/1404-2-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/1404-5-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/1404-3-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/2232-11-0x0000000000000000-mapping.dmp

Download

description	pid	process	target process
PID 1404 wrote to memory of 2232	1404	530d1ec61a39f8b6112030f84d2e385c.exe	schtasks.exe
PID 1404 wrote to memory of 2232	1404	530d1ec61a39f8b6112030f84d2e385c.exe	schtasks.exe
PID 1404 wrote to memory of 2232	1404	530d1ec61a39f8b6112030f84d2e385c.exe	schtasks.exe
PID 1404 wrote to memory of 2756	1404	530d1ec61a39f8b6112030f84d2e385c.exe	530d1ec61a39f8b6112030f84d2e385c.exe
PID 1404 wrote to memory of 2756	1404	530d1ec61a39f8b6112030f84d2e385c.exe	530d1ec61a39f8b6112030f84d2e385c.exe
PID 1404 wrote to memory of 2756	1404	530d1ec61a39f8b6112030f84d2e385c.exe	530d1ec61a39f8b6112030f84d2e385c.exe
PID 1404 wrote to memory of 2168	1404	530d1ec61a39f8b6112030f84d2e385c.exe	530d1ec61a39f8b6112030f84d2e385c.exe
PID 1404 wrote to memory of 2168	1404	530d1ec61a39f8b6112030f84d2e385c.exe	530d1ec61a39f8b6112030f84d2e385c.exe
PID 1404 wrote to memory of 2168	1404	530d1ec61a39f8b6112030f84d2e385c.exe	530d1ec61a39f8b6112030f84d2e385c.exe
PID 1404 wrote to memory of 584	1404	530d1ec61a39f8b6112030f84d2e385c.exe	530d1ec61a39f8b6112030f84d2e385c.exe
PID 1404 wrote to memory of 584	1404	530d1ec61a39f8b6112030f84d2e385c.exe	530d1ec61a39f8b6112030f84d2e385c.exe
PID 1404 wrote to memory of 584	1404	530d1ec61a39f8b6112030f84d2e385c.exe	530d1ec61a39f8b6112030f84d2e385c.exe
PID 1404 wrote to memory of 584	1404	530d1ec61a39f8b6112030f84d2e385c.exe	530d1ec61a39f8b6112030f84d2e385c.exe
PID 1404 wrote to memory of 584	1404	530d1ec61a39f8b6112030f84d2e385c.exe	530d1ec61a39f8b6112030f84d2e385c.exe
PID 1404 wrote to memory of 584	1404	530d1ec61a39f8b6112030f84d2e385c.exe	530d1ec61a39f8b6112030f84d2e385c.exe
PID 1404 wrote to memory of 584	1404	530d1ec61a39f8b6112030f84d2e385c.exe	530d1ec61a39f8b6112030f84d2e385c.exe
PID 1404 wrote to memory of 584	1404	530d1ec61a39f8b6112030f84d2e385c.exe	530d1ec61a39f8b6112030f84d2e385c.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads